web app security issues

Adrian Perry
Ranch Hand

Joined: Jul 21, 2005
Posts: 42
Hi,

I am trying to implement web app security. I have a web-app called security running on my tomcat. I am able to implement authentication and authorization, but am not able to implement data confidentiality. The problems that I am running into are listed below:

1) Whenever I try to implement data confidentiality, I get a page cannot be displayed error. But when I comment out the <user-data-constraint> element in web.xml, it works ok. So I am unable to run a secured HTTPS over SSL request.

2) When I do not have <http-method> element, why does it allow access to my servlet...I guess it should not?

3) When I have only POST as the constraint method, i.e. <http-method>POST</http-method>, then the first page that gets loaded is the welcome file...the container does not ask for authentication. The welcome file (which in this case happens to be form.html) then does authentication on submit. But if we have <http-method>GET</http-method>, then the container authenticates and does not load the welcome page, but loads it only after authentication....Can anybody tell me why this discrepancy?

4) I generally type each user with their password and roles in tomcat-users.xml. How to configure this using a database such as Oracle or MySQL? I am sure we do not type this info in tomcat-users.xml in a real-time app.

My web.xml file looks like this. Kindly tell me what aspect I am overlooking. Hoping for the response on all 4 aspects.


My web.xml


<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <welcome-file-list>
    <welcome-file>form.html</welcome-file>
  </welcome-file-list>

  <servlet>
    <servlet-name>Security</servlet-name>
    <servlet-class>com.example.web.Secure</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>Security</servlet-name>
    <url-pattern>/secure.do</url-pattern>
  </servlet-mapping>

  <!-- One <security-role> per role: the 2.4 schema allows exactly one
       <role-name> inside each <security-role> element. -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurityCheck</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- Only GET is listed, so only GET requests are constrained. -->
      <http-method>GET</http-method>
      <!--http-method>POST</http-method-->
    </web-resource-collection>

    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>

    <!-- Commented out because it produces "page cannot be displayed". -->
    <!--user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint-->
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginPage.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
[ July 20, 2006: Message edited by: Bear Bibeault ]
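As an added example (not part of the original post, and not the poster's configuration), here is the security section of the web.xml above rewritten the way the Servlet 2.4 rules resolve it. An <http-method> list restricts the constraint to exactly the methods named: with only GET listed, POST, HEAD, PUT, DELETE and every other method on /* remain unconstrained, and a POST-only constraint lets the welcome page (a GET) load with no login. Leaving <http-method> out altogether applies the constraint to all methods. The transport guarantee is switched on here; it makes Tomcat redirect a plain-HTTP request to the redirectPort of the HTTP connector (8443 in a default server.xml), so an HTTPS connector has to be listening there or the browser reports a connection error. Servlet, role names and page paths are the ones from the posted file.

```xml
<!-- Added example: security-constraint and login-config for the web.xml
     above, with the method list removed and CONFIDENTIAL enabled.
     Role names and page paths are taken from the posted web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurityCheck</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: the constraint now covers GET, POST,
         HEAD, PUT, DELETE, OPTIONS and TRACE alike. Listing only GET
         would leave every other method on /* unprotected. -->
  </web-resource-collection>

  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>

  <!-- CONFIDENTIAL: a plain-HTTP request for any of these URLs is answered
       with a redirect to the HTTPS port given by redirectPort on the HTTP
       connector in server.xml. If no HTTPS connector listens on that port,
       the browser shows "page cannot be displayed". -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Because /* is CONFIDENTIAL the login form itself is served and
         submitted over HTTPS, so the password is never sent in clear.
         The form must POST to j_security_check with input fields named
         j_username and j_password; the container handles the rest. -->
    <form-login-page>/loginPage.html</form-login-page>
    <form-error-page>/loginError.html</form-error-page>
  </form-login-config>
</login-config>
```

With this constraint in place, a request such as POST /secure.do from an unauthenticated client is challenged with the login page instead of reaching the servlet, which is the behaviour the GET-only version did not give.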
Colin Shine
Greenhorn

Joined: Aug 12, 2005
Posts: 26
With regard to point 4, you can configure Tomcat to use a JDBC realm, which is an implementation of Tomcat's 'Realm' interface. The default implementation that comes 'out of the box' will read user info from a flat text file (tomcat-users.xml), but a JDBC realm will read from a db of your choice.

Configure it in server.xml as follows:



userTable - the table containing the user info
userNameCol - the column name containing usernames
userCredCol - the column name containing passwords
roleNameCol - the column name containing the roles
userRoleTable - the table mapping users to roles
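Colin's server.xml snippet did not survive on this page, so here, as an added example and not his configuration, is a JDBCRealm for MySQL that uses the attribute names he lists. The driver class, JDBC URL, database name, account, table and column names are assumptions; adjust them to match your own schema.

```xml
<!-- Added example: a JDBCRealm element for conf/server.xml (Tomcat 5.5).
     Put it inside <Engine>, <Host> or the web-app's <Context>; it replaces
     the UserDatabaseRealm that reads tomcat-users.xml. Driver, URL,
     account, table and column names are assumed values. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:3306/authority"
       connectionName="tomcat_auth"
       connectionPassword="change-me"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"
       digest="SHA-256"/>

<!-- Assumed table layout that the attributes above refer to:

       users      (user_name VARCHAR(64) PRIMARY KEY,
                   user_pass CHAR(64)    NOT NULL)        hex SHA-256 digest
       user_roles (user_name VARCHAR(64) NOT NULL,
                   role_name VARCHAR(32) NOT NULL,
                   PRIMARY KEY (user_name, role_name))

     role_name values must match the <role-name> entries in web.xml
     (admin, manager, tomcat). The JDBC driver jar goes in common/lib.

     digest="SHA-256" makes the realm hash the submitted password and
     compare the hex digest with user_pass, so no plaintext password is
     stored; generate the stored value with bin/digest.sh -a SHA-256 <pw>.
     The realm's digest is unsalted, so the table still needs protecting.

     connectionPassword is a database credential stored in clear in
     server.xml: make the file readable by the Tomcat account only, and
     grant tomcat_auth SELECT on these two tables and nothing else. -->
```

One caveat for anything beyond a test box: JDBCRealm opens a single database connection and runs every lookup through it, so under load the DataSourceRealm (same attributes, but a JNDI DataSource with a connection pool in place of driverName/connectionURL) is the usual choice.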
Colin Shine
Greenhorn

Joined: Aug 12, 2005
Posts: 26
With regard to the other points, have you configured an SSL connector for Tomcat? Check out

http://tomcat.apache.org/tomcat-5.5-doc/connectors.html

and

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm
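As an added example, not Colin's own configuration, this is the connector pair in a Tomcat 5.5 conf/server.xml that a CONFIDENTIAL transport guarantee depends on. The keystore path, password and port numbers are assumptions. The plain-HTTP connector's redirectPort is where Tomcat sends a request that must be upgraded to HTTPS, so it has to match the port of the HTTPS connector.

```xml
<!-- Added example: HTTP and HTTPS connectors for conf/server.xml
     (Tomcat 5.5, pure-Java JSSE connector). Keystore path, password and
     ports are assumed values. -->

<!-- Plain HTTP. redirectPort is the port a request for a CONFIDENTIAL
     resource is redirected to; it must equal the HTTPS port below. -->
<Connector port="8080" maxHttpHeaderSize="8192"
           enableLookups="false" redirectPort="8443"
           connectionTimeout="20000" disableUploadTimeout="true"/>

<!-- HTTPS. Without this connector the redirect from 8080 points at a port
     nothing listens on, and the browser reports "page cannot be displayed".
     Create the keystore first (self-signed certificate, test use only):
       keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 \
               -keystore /etc/tomcat5.5/keystore.jks
     The "first and last name" keytool asks for becomes the CN and must
     match the host name in the URL, or browsers will warn. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/etc/tomcat5.5/keystore.jks"
           keystorePass="change-me"/>
```

These attributes are for the JSSE connector; the APR/native connector in 5.5 takes a different set (SSLEngine, SSLCertificateFile and friends), so check which one your build loads before copying them. Once both connectors are up, requesting http://host:8080/security/secure.do should answer with a redirect to https://host:8443/security/secure.do rather than an error.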
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42929
A lot of good information on Tomcat realms and how to set them up is contained in the Tomcat documentation.